It was time again last week. Another case of sensitive data that was accessible on the Internet became known. The company Cloudflare unintentionally distributed sensitive data from countless users on the Internet due to a programming error. The interesting thing about this case is, on the one hand, that it was not an attack by hackers and, on the other hand, the knowledge of how much Internet traffic is processed worldwide via Cloudflare. Since many readers have probably never heard of the name of this company, I would also like to give an answer in this article to the question of what the business model of Cloudflare is and whose data was publicly and partly still available on the Internet.
The Cloudflare company
Cloudflare operates a network of regionally distributed and internet-connected servers with which content is delivered. Such a service is called Content Delivery or Content Distribution Network, or CDN for short. This type of content delivery is about improving the speed of building the website and often about reducing bandwidth.
For example, if your website is intended for visitors from China, but your server is here in the USA, using a CDN can actually increase the access speed for Chinese users considerably.
Put simply, Cloudflare creates copies of your website and copies them to its own servers, which are distributed all over the world. When a visitor accesses the website, a load balancing system ensures that the servers that will deliver your website the fastest are always addressed. The Cloudflare servers are quasi a large, worldwide accessible page cache.
Cloudflare is a startup and has received $ 182,000,000 in capital to date. It was founded in 2009 and, in addition to the rapid dissemination of website content, also offers DDoS protection and other security services such as a web firewall. Over the years, Cloudflare’s algorithms have become more powerful. The service received a lot of media attention in 2013 when Wikileaks successfully used it to protect its own website.
Cloudflare has developed very positively in recent years and has delivered more and more content from more and more customers. To get a feel for the importance of the company for the entire Internet, here are a few figures: 7.7% of all websites worldwide use CDNs. 5.5% of them use Cloudflare. This corresponds to a market share of 71.8%. The next competitor, Akamai, has a share of 12.7%.
Cloudflare’s DDoS protection service has become a kind of life insurance for many companies, such as online shop operators. If nothing can be sold via the online shop as a result of a DDoS attack, you will not earn any money. As more and more services do their business exclusively over the Internet, Cloudflare’s growth is becoming more understandable.
With the increasing spread of HTTPS-encrypted pages, there was a need to cache them on Cloudflare servers too.
At this point, it gets complicated because the data packets are encrypted for a good reason and distributed storage is problematic. Therefore, Cloudflare offers four ways to cache the content.
- Off: No content is conveyed via HTTPS
- Flexible: HTTPS is used within the Cloudflare infrastructure but the connection between the original site and Cloudflare is unencrypted
- Full: In addition to the Flexible version, communication with the original site is now also encrypted, but the certificate is not evaluated, i.e. it is not checked whether it is valid.
- Full (strict): Cloudflare issues the certificate itself and terminates all traffic. This means that the traffic is encrypted on both legs, the certificate is validated, and a third-party man in the middle is ruled out.
The graphics are from Cloudflare itself (Introducing Strict SSL: Protecting Against a Man-in-the-Middle Attack on Origin Traffic).
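As an added check that is not part of the original article: the four modes above can be audited per zone. This example assumes the Cloudflare v4 API endpoint GET /zones/{zone_id}/settings/ssl, which returns the mode as `result.value`; the responses and zone names below are constructed so it runs offline.

```python
"""Audit Cloudflare zones for the weak SSL modes described above."""
import json
import urllib.request

# What each mode means for the two legs of the connection, following the
# article: visitor <-> Cloudflare edge and Cloudflare <-> origin server.
MODES = {
    "off":      {"edge_tls": False, "origin_tls": False, "origin_cert_verified": False},
    "flexible": {"edge_tls": True,  "origin_tls": False, "origin_cert_verified": False},
    "full":     {"edge_tls": True,  "origin_tls": True,  "origin_cert_verified": False},
    "strict":   {"edge_tls": True,  "origin_tls": True,  "origin_cert_verified": True},
}

def fetch_ssl_mode(zone_id, api_token):
    """Live lookup (not exercised offline): read one zone's SSL setting.
    Assumes the v4 API endpoint /zones/{zone_id}/settings/ssl."""
    req = urllib.request.Request(
        f"https://api.cloudflare.com/client/v4/zones/{zone_id}/settings/ssl",
        headers={"Authorization": f"Bearer {api_token}"})
    with urllib.request.urlopen(req) as resp:
        return parse_ssl_mode(resp.read().decode())

def parse_ssl_mode(body):
    """Extract and validate the mode from an API response body."""
    doc = json.loads(body)
    if not doc.get("success"):
        raise ValueError(f"API call failed: {doc.get('errors')}")
    value = doc["result"]["value"]
    if value not in MODES:
        raise ValueError(f"unknown SSL mode {value!r}")
    return value

def audit(zone_modes):
    """Return (zone, mode, reason) for zones whose origin leg is cleartext
    or whose origin certificate is never validated."""
    findings = []
    for zone, mode in zone_modes.items():
        props = MODES[mode]
        if not props["origin_tls"]:
            findings.append((zone, mode, "origin leg in cleartext"))
        elif not props["origin_cert_verified"]:
            findings.append((zone, mode, "origin certificate not validated"))
    return findings

# Constructed sample responses, one per (fictional) zone.
SAMPLE = {
    "shop.example": '{"result":{"id":"ssl","value":"flexible"},"success":true,"errors":[],"messages":[]}',
    "api.example":  '{"result":{"id":"ssl","value":"full"},"success":true,"errors":[],"messages":[]}',
    "www.example":  '{"result":{"id":"ssl","value":"strict"},"success":true,"errors":[],"messages":[]}',
}

if __name__ == "__main__":
    modes = {zone: parse_ssl_mode(body) for zone, body in SAMPLE.items()}
    for zone, mode, why in audit(modes):
        print(f"{zone}: mode={mode}: {why}")
```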
All variants are “hmmm” … bad, because the original idea of HTTPS is encrypted communication from the visitor’s browser all the way to the original server (see also CloudFlare, SSL and unhealthy security absolutism).
They are also bad because in the Flexible and Full variants user sessions can be hijacked, just as was possible back in 2010, when HTTPS was still a foreign word to many.
The strict variant is also not perfect, because in this case all encrypted traffic runs via Cloudflare and Cloudflare is itself the man in the middle!
Whose data was affected?
Regardless of the successful business model, said programming error was announced last week.
The Cloudflare servers seem to have been distributing encrypted content unencrypted on the Internet since September 22nd, so the over 5 million websites of Cloudflare customers would have been affected for almost five months. The leak between February 13 and 18 was said to be particularly bad.
The Cloudflare customers are large companies such as Uber and Zendesk, but also smaller ones like DMTwebhosting.
The data of these customers is your and my data!
Decentralized vs. central structures
Structures can be arranged centrally or de-centrally. Both concepts have advantages and disadvantages. Central systems usually work quickly and effectively, for example, an army or the structures of Amazon, Apple, Google, Facebook and many others. Central systems always offer an easy way of checking. In nature, one could simply compare it to a monoculture.
Decentralized systems, on the other hand, are slower, more complex, and more difficult to control. They are considerably less sensitive to pests and can be compared to a mixed culture in a tropical rainforest that is self-sustaining for millions of years.
In a monoculture, a single pest can bring the entire system to a standstill, in a mixed culture this is practically impossible.
The Internet is a decentralized structure, a network of autonomous computer systems with defined protocols for communication. Cloudflare is pretty much the opposite, since it overrides this decentralized structure.
The sensible and unfortunately expensive solution to the problem would be to configure your own server “properly”.
About the author
DMTwebhosting.com‘s Editorial Team prides itself on bringing you the latest web hosting news and the best web hosting articles!